According to security firm Exodus, the patch to Internet Explorer 6, 7 and 8 released on December 31 only fixed one of several ways to exploit a weakness in Microsoft’s browser. In their research on this exploit, Exodus continued to develop more aggressive ways to exploit the documented weakness and in doing so, uncovered a means that bypasses Microsoft’s fix, but are witholding details from the public until Microsoft has a chance to address their findings. A number of human rights and government sites have been compromised with malware agents that exploit this weakness and appears to be part of a larger campaign by the “Elderwood Gang” – a highly effective and well-backed group of hackers that have been targeting high-profile government sites since 2009, ostensibly with financial and espionage-based goals.
What this means for you:
Internet Explorer 6, 7 and 8 are still considered vulnerable, though no one has documented any websites yet taking advantage of the exploits discovered by Exodus. The fact that there are still holes in IE browser security will not go unnoticed, and if Exodus can develop work-arounds for Microsoft’s patch, you can bet groups like “Elderwood” will be able to do the same, if they haven’t already. Your best short-term solution is to either use another browser like Chrome or Firefox until Microsoft can fully patch this weakness, or upgrade your Internet Explorer to version 9 or 10 as soon as possible. If you are working for an organization or using software that requires backward compatibility to IE 7 or 8, you should consider having a serious discussion with the IT department about their reasons for maintaining what is increasingly becoming an untenable stance. If you are required to use IE 6 for some unfathomable reason, you should stop what you are doing immediately and consult with an IT professional, as IE 6 is a magnet for security exploits.
It might be the last day of 2012, but there’s still time to issue yet another patch to fix a zero-day exploit in Microsoft Internet Explorer 6, 7 and 8. Confirmed on Saturday by Microsoft, this patch fixes a vulnerability in all versions of IE prior to v9 that may allow hackers to gain control over a victim’s machine. This latest weakness is likely to be exploited when a computer using one of the versions of the aforementioned browser visits a malicious website, allowing it to run code that can corrupt the memory on the victim’s computer and from there execute malicious code as the logged in user, potentially resulting in backdoor installations, malware infections, and zombification.
What this means for you:
It’s conceivable you are still running IE 8 which was released in 2011, so you may be affected by this weakness. If you are running IE7 or, impossibly, IE6 (it was released in 2001 – over 10 years ago!), I’d say you are better off upgrading to the latest version of IE you can reasonably run on your computer, and then making sure it is patched appropriately.
Hackers are now taking advantage of conscientious users who have been repeatedly warned by folks like myself to keep their software, specifically their browsers, up to date. If a user happens to surf to a website hosting this new style of attack, they will be presented with a realistic-looking warning that asserts their browser is out of date, but if they click the convenient link to update the browser, they instead be infected with a trojan that will forcibly change the browser homepage to a site that will deliver a full payload of malware. If the user is unfortunate enough to have his or her anti-malware software overrun, they will quickly have a severely compromised computer.
What this means for you:
You should only ever download updates for your software from the manufacturer’s website, as it’s extremely unlikely for manufacturers to use third-party hosts for software updates. In the above example, users were directed to download an update from a domain “securebrowserupdate” which is something Microsoft, Google, Mozilla or Apple would never do for their browsers. If you happen across a pop-up warning that an update is available for your browser, and you aren’t sure it’s legitimate, close it, then check your update status through the browser’s built into the interface, usually under the “Help” menu. Still not sure? Why not call an expert like C2?
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
A recent study by security firm NSS Labs shows that Google’s Chrome browser still has the best detection rate (94%) for spotting phishing URLs, and on average, new malware sites are reported and blocked by all browsers within 5 hours of discovery, a significant improvement over the 16+ hours that same process would have taken in 2009. Firefox showed the best response time to reporting and blocking new sites at 2.3 hours – more than twice as quick as IE10.
What this means for you:
All of the major browsers have significantly improved their ability to protect users, to the point that there is very little statistical difference in their security capabilities. Many of my clients still ask me if one is better than the other, and the answer is always, “It depends on what you need the browser to do.” I still use Chrome for most of my work, but there are still enough times when I’m working with online apps that only work with Internet Explorer. The most important factor to consider is making sure whatever browser you do use is kept up to date, and that you practice safe and cautious surfing whenever working with unfamiliar websites.
In a rare, out-of-band release, Microsoft released an update on Sept 21 that patched the much bally-hooed vulnerability that affected all versions of its browser as far back as IE 6. This security flaw was significant enough to warrant the German government recommend to its citizens that they use another browser until MS could address the exploit, which it did on the 19th in a “fixit” tool downloadable via their website, and now in an MS Update that will be delivered automatically to all validated Windows OS systems.
What this means for you:
Microsoft normally releases its updates on Tuesday, so the more savvy among you might have already noticed the unusual appearance of an update request from your Windows machine as early as last Friday evening. Regardless of when you see it, you should allow update to download and patch your OS as soon as possible, especially if you use IE as your internet browser. If your computer is managed by a corporate IT department, the update may go through internal testing before being released to update your computer. Assuming you’ve not made any changes to how your OS stays up to date, you should be patched, or will be patched the next time you reboot your computer. To make sure you’ve received this update, you can visit your Control Panel, open Windows Update and check your update history for “Cumulative Security Update for Internet Explorer (2744842)”. If this has been successfully installed, you been patched!
Ars Technica is reporting that there was a significant increase in exploitation attacks over the weekend on a previously unknown vulnerability in Microsoft’s Internet Explorer, including the most recent version, IE9. What’s very unusual is that this vulnerability appears to occur in all major versions of Microsoft’s OS, including Windows XP, Vista and 7, and and uses the Adobe Flash Player plugin to gain a foothold on a user’s computer. This exploit has been able to circumvent most commercial anti-virus and anti-malware programs in use currently.
What this means to you:
On an Apple computer like an iMac or MacBook? Nothing you need to worry about – this exploit only affects Windows-based computers.
For all Windows users: Until Microsoft admits to, and then patches this vulnerability (so far they haven’t responded), and until the major anti-malware manufacturers like McAfee, Symantec, etc. can successfully detect and protect against this exploit, using any version of Internet Explorer will come with increased risk, especially if you surf to unknown or undocumented sites (ie. follow a link sent by a friend or co-worker, without knowing whether the link is legitimate). If it’s possible, I would recommend installing and using Google Chrome or Mozilla Firefox, at least until MS can patch this vulnerability.
At minimum:
- Make sure your computer has a working anti-virus program installed, updated and running.
- Avoid browsing websites with which you are unfamiliar.
- Stay alert for unusual behavior on your computer, such as sluggish performance, unusual pop-up windows and inability to surf to websites, specifically anti-virus websites and the alternate browser sites that I linked above.
Keep in mind, if your computer is managed by an IT department, using a browser other than IE may not be allowed, or, if it is allowed, Chrome and/or Firefox may not work with some of your company’s web applications, as many are designed and tested to work with IE only.
- 1
- 2






![Internet_Explorer_7_Logo[1].png Internet_Explorer_7_Logo[1].png](https://c2techs.net/wp-content/uploads/2012/09/Internet_Explorer_7_Logo[1]_0-460x260_c.png)
![Internet_Explorer_7_Logo[1].png IE Logo](https://c2techs.net/wp-content/uploads/2012/09/Internet_Explorer_7_Logo[1]-460x260_c.png)